Fix Transitive npm Vulnerabilities
Fix CVEs in indirect/transitive npm dependencies. Paste package-lock.json to scan the full dependency tree and get override snippets.
⚠ The Problem
npm audit flags a vulnerability in a package you never directly installed. It exists inside a dependency of a dependency, and the package that depends on it declares a version range that excludes the patched release. npm audit fix only applies updates that stay inside the declared ranges, so it often can't resolve the finding automatically.
Bad Configuration — package.json
# Your app depends on auth-lib@1.0.0
# auth-lib depends on qs@6.5.2
# qs@6.5.2 is affected by CVE-2022-24999 (HIGH)
Fixed Configuration — package.json
{
"overrides": {
"qs": "6.11.0"
}
}
✓ Fix
Add the overrides block to the root package.json (npm only honours overrides there, and only in npm 8.3 or later) to force npm to install the safe version of qs regardless of what auth-lib requests. A top-level key like "qs" rewrites every copy of qs in the tree; if you want to touch only the copy under auth-lib, nest it instead: "overrides": { "auth-lib": { "qs": "6.11.0" } }. Either way the override bypasses the range auth-lib declared, so run its code paths in your tests after the change. Drop your package-lock.json into PackageFix for full transitive analysis. After updating, run npm install to regenerate the lockfile, then confirm with npm ls qs (every listed copy should be the overridden version) and npm audit.
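The lockfile walk described above, as an added example that is not PackageFix's code: a Node script that reads a lockfile v2/v3 "packages" map, finds every installed copy of qs, reconstructs the chain of dependents that pulled each copy in (following npm's nearest-node_modules resolution, so hoisted copies are attributed correctly), flags the copies in the affected range, and emits a scoped overrides block. The lockfile is constructed inline; auth-lib and legacy-lib are placeholder names, and the affected-range table is transcribed from the GitHub advisory for CVE-2022-24999 and should be re-checked against it before use.

```javascript
// Added example, not PackageFix code. Run with: node find-transitive.js
// Constructed sample lockfile (lockfileVersion 3), not a real project.
// auth-lib's "~6.5.0" is not satisfied by the hoisted qs@6.11.0, so npm nests
// a second, vulnerable copy of qs under node_modules/auth-lib.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "auth-lib": "^1.0.0", "legacy-lib": "^2.0.0", qs: "^6.11.0" } },
    "node_modules/auth-lib": { version: "1.0.0", dependencies: { qs: "~6.5.0" } },
    "node_modules/auth-lib/node_modules/qs": { version: "6.5.2" },
    "node_modules/legacy-lib": { version: "2.0.0", dependencies: { "auth-lib": "^1.0.0" } },
    "node_modules/qs": { version: "6.11.0" },
  },
};

// Affected ranges [min inclusive, max exclusive] for CVE-2022-24999, as listed
// in the GitHub advisory for qs. Assumption: verify against the advisory.
const AFFECTED_QS = [
  ["0.0.0", "6.2.4"], ["6.3.0", "6.3.3"], ["6.4.0", "6.4.1"], ["6.5.0", "6.5.3"],
  ["6.6.0", "6.6.1"], ["6.7.0", "6.7.3"], ["6.8.0", "6.8.3"], ["6.9.0", "6.9.7"],
  ["6.10.0", "6.10.3"],
];

// Minimal semver compare on major.minor.patch (prerelease tags are ignored).
const parse = (v) => v.split("-")[0].split(".").map(Number);
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
const isAffected = (v, ranges) => ranges.some(([lo, hi]) => cmp(v, lo) >= 0 && cmp(v, hi) < 0);

// Smallest patched release above the installed version: the least disruptive
// bump, and the one most likely to still satisfy the dependent's declared range
// (~6.5.0 admits 6.5.3, but not the 6.11.0 a blanket override would force).
function nearestPatched(v, ranges) {
  return ranges.map(([, hi]) => hi).filter((p) => cmp(p, v) > 0).sort(cmp)[0] || null;
}

// npm-style resolution inside the lockfile: look in <from>/node_modules/<name>,
// then walk up one node_modules level at a time until the root.
function resolve(packages, from, name) {
  let base = from;
  for (;;) {
    const key = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[key]) return key;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// DFS from the root package. Every chain that ends in `target` is recorded,
// including several chains to the same installed copy; `ancestors` stops cycles.
function findCopies(lock, target, ranges) {
  const { packages } = lock;
  const hits = [];
  const walk = (path, chain, ancestors) => {
    const pkg = packages[path];
    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const key = resolve(packages, path, name);
      if (!key || ancestors.has(key)) continue;
      const version = packages[key].version;
      const next = [...chain, { name, version }];
      if (name === target) hits.push({ key, version, affected: isAffected(version, ranges), chain: next });
      walk(key, next, new Set([...ancestors, key]));
    }
  };
  walk("", [], new Set([""]));
  return hits;
}

// Overrides scoped to the package that depends on each vulnerable copy
// ("auth-lib": { "qs": ... }), so already-safe copies elsewhere are untouched.
// A vulnerable copy installed directly by the app gets the blanket form.
function overridesFor(hits, target, safeVersion) {
  const overrides = {};
  for (const h of hits.filter((h) => h.affected)) {
    const parent = h.chain.length > 1 ? h.chain[h.chain.length - 2].name : null;
    if (parent) (overrides[parent] = overrides[parent] || {})[target] = safeVersion;
    else overrides[target] = safeVersion;
  }
  return { overrides };
}

const hits = findCopies(lock, "qs", AFFECTED_QS);
for (const h of hits) {
  const chain = h.chain.map((c) => `${c.name}@${c.version}`).join(" > ");
  console.log(`${h.affected ? "VULNERABLE" : "ok        "} ${h.key}  via ${chain}`);
}
const firstHit = hits.find((h) => h.affected);
if (firstHit) {
  const safe = nearestPatched(firstHit.version, AFFECTED_QS);
  console.log(JSON.stringify(overridesFor(hits, "qs", safe), null, 2));
}
```

On the sample tree the script reports the hoisted qs@6.11.0 as clean and the nested qs@6.5.2 as vulnerable via two chains (auth-lib directly, and legacy-lib > auth-lib), and emits "overrides": { "auth-lib": { "qs": "6.5.3" } }; pass "6.11.0" instead of the nearest patched release if you prefer the page's choice, and expect to test auth-lib either way.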
Scan your dependencies now — paste your manifest, get a fixed version back in seconds.
Open PackageFix → No signup · No CLI · No GitHub connection · Runs 100% in your browser
Frequently Asked Questions
What is a transitive vulnerability?
A vulnerability in a package you didn't directly install — it came in as a dependency of one of your dependencies.
How do I fix a transitive vulnerability without breaking my app?
Use npm overrides (npm 8.3 or later, in the root package.json) to pin the vulnerable transitive dependency to a safe version, then run npm install and check npm ls for the package to confirm only the pinned version remains. PackageFix generates the exact override snippet.
Does npm audit fix handle transitive vulnerabilities?
Often not. npm audit fix only applies updates that satisfy the version ranges already declared in the tree, so when the dependent pins or caps the vulnerable package it does nothing. npm audit fix --force can break your app by making incompatible major version updates. The safe path is using overrides for transitive CVEs.
How deep does PackageFix scan?
Drop your package-lock.json alongside package.json — PackageFix parses the full lockfile tree and surfaces transitive CVEs with the exact dependency path.